Free Malware Removal Forum


Hi! Would you please assist me with the following: My audio volume (wave master volume) is automatically reset to zero every few minutes and at a longer interval an IE popup appears showing a random advertisement. The task manager shows 2 iexplore.exe running, and when I end their task, they reappear a few seconds later.

I mainly use Opera. I already tried Spybot SD, Malwarebytes and Combofix, all without success.

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.

The fixes are specific to your problem and should only be used for this issue on this machine!

The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.

If you don't know, stop and ask! Don't keep going on.

Please reply to this thread. Do not start a new topic.

Refrain from running self fixes as this will hinder the malware removal process.

It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

This is my home computer and is currently used 100% for personal purposes.

OK and thank you for the clarification.

Peer to Peer Advice:

Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs. It is posted here.

As a condition of receiving our help, I have included the P2P program FrostWire 4.20.6 in the removal instructions below, so we are not wasting our time. If you have used this, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, FrostWire and Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.

It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs. Besides being illegal, these files also are loaded with "planted" malware.

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Ask Toolbar
FrostWire 4.20.6
Java(TM) 6 Update 5
Windows Defender

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next:

If you were not prompted to reboot your machine by TFC(Temp File Cleaner), please do so now, thank you.

Next:

Please provide a new Uninstall List from HijackThis as follows:-

Run HijackThis and click on Open the Misc Tools section.

Click Open Uninstall Manager...

Click Save list... and save it to your Desktop.

Copy and paste the file uninstall_list.txt into your next reply.

Next:

Going back to this you mentioned in your first post:-

I already tried Spybot SD, Malwarebytes and Combofix, all without success.

You should not use such a powerful application as ComboFix without trained supervision, as there is a high chance your machine could end up nothing more than an expensive doorstop!

Anyway I would like to review both the Malwarebytes' Anti-Malware and ComboFix logs before we proceed any further please. They can be located as follows:-

Combofix should be found at:-

C:\combofix.txt

MBAM should be found at:-

Launch Malwarebytes' Anti-Malware >> Click on the Logs radio tab.

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?

Thank you for your help thus far. Unfortunately the problem persists - my audio volume gets auto-adjusted to zero and two IE instances are running invisibly in the background, periodically creating a pop-up advertisement. I did not encounter any additional problems.

I could not find the Combofix log. I removed Combofix right after I used it and I suspect the log was simultaneously removed.

Unfortunately the problem persists - my audio volume gets auto-adjusted to zero and two IE instances are running invisibly in the background, periodically creating a pop-up advertisement. I did not encounter any additional problems.

OK and thanks for the update.

I could not find the Combofix log. I removed Combofix right after I used it and I suspect the log was simultaneously removed.

Fair play. If any further action is required concerning the uninstallation of Combofix I will be able to determine such from the scan results I will be asking you to carry out in due course.

Next:

I am going to ask your good self to run a couple of benign scans before I advise any proactive measures. This is so I can research more indepth about your machine and attempt to identify/pinpoint any remaining malware.

Computer Name: LULU
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001CC0297B70. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Computer Name: LULU
Event Code: 36
Message: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Computer Name: LULU
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

No, I wasn't aware that port 3128 is open. I used this computer at work up to about 18 months ago. There we used the proxy shown in your post. When I took the computer home I just deselected Use a proxy server for your LAN... in Control Panel >> Internet Options >> Connections >> LAN Settings, thinking it would disable the proxy settings. I suppose it means that port 3128 was open the whole time!

The only router I use is the DSL modem / router to which this computer (and sometimes my work laptop) connect.

I reset the firewall as you instructed. Is it acceptable to allow an exception for Opera?

No, I wasn't aware that port 3128 is open. I used this computer at work up to about 18 months ago. There we used the proxy shown in your post. When I took the computer home I just deselected Use a proxy server for your LAN... in Control Panel >> Internet Options >> Connections >> LAN Settings, thinking it would disable the proxy settings. I suppose it means that port 3128 was open the whole time!

OK thanks for the update and we can address this in due course.

The only router I use is the DSL modem / router to which this computer (and sometimes my work laptop) connect.

It would be prudent then to reset this and apply a new admin password if the model has such a feature.

I reset the firewall as you instructed. Is it acceptable to allow an exception for Opera?

Well, doing so will basically mean anything the browser Opera does will not be monitored, so a possible avenue that could be exploited. If the DSL modem/router you have incorporates what is known as a NAT (network address translation) firewall, your overall protection is furthered, but basically only in-bound protection is actually given.

If you wish to keep Opera as an exception I suggest you periodically perform a check here: ShieldsUP!

Next:

Is your machine still experiencing the original symptoms at all? I have two further benign scans below for your good self to carry out before addressing what I have identified so far.
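The proxy question raised in this exchange (an old workplace proxy left in Internet Options, and port 3128 reported open) can be checked directly rather than by eye. The PowerShell below is an added diagnostic, not a script from this thread or from any tool the helper names; it assumes Windows PowerShell 3 or later and a netstat.exe on the path.

```powershell
# Added diagnostic (not part of the thread): confirm whether the WinINET proxy
# inherited from the old workplace is really cleared, and whether any process
# on this host is listening on the proxy port discussed above (3128).
# Assumes Windows PowerShell 3+ and netstat.exe; run as the affected user.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

# Unticking "Use a proxy server for your LAN" only sets ProxyEnable to 0;
# ProxyServer, ProxyOverride and AutoConfigURL keep their old values, so a
# script or malware that flips ProxyEnable back on re-activates the old proxy.
[pscustomobject]@{
    ProxyEnable   = $p.ProxyEnable
    ProxyServer   = $p.ProxyServer
    ProxyOverride = $p.ProxyOverride
    AutoConfigURL = $p.AutoConfigURL
} | Format-List

# A LISTENING socket on 3128 means a process on this PC is acting as a proxy,
# which is a different situation from a remote proxy merely being configured.
$listeners = netstat -ano | Select-String ':3128\s+\S+\s+LISTENING'
if ($listeners) {
    foreach ($line in $listeners) {
        # netstat -ano prints the owning PID as the last column
        $procId = ($line.ToString().Trim() -split '\s+')[-1]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        "Port 3128 listener: PID $procId ($($proc.ProcessName)) $($proc.Path)"
    }
} else {
    'Nothing on this host is listening on TCP 3128.'
}

# Once the stale values are confirmed unwanted, remove them (uncomment to apply):
# Remove-ItemProperty -Path $key -Name ProxyServer,ProxyOverride,AutoConfigURL -ErrorAction SilentlyContinue
```

If the listener turns out to be one of the hidden iexplore.exe instances mentioned in the first post, note its PID and path for the helper rather than ending the process, since the thread already shows they respawn.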

I also discovered that, when I restart the computer with no internet connection (DSL modem switched off), the original symptoms are not present. They also do not reappear even if I establish an internet connection thereafter, as long as I don't restart the computer. If I restart the computer with the internet connection already established, the original symptoms are back.

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
